Trying to decipher Port Forwarding for XG (Home) software - web cams.

My goal is to have some webcams at home, each using their own dedicated Port number (same port #) through the Internet - Firewall - Switch - camera.  (Obviously the switch doesn't care.  But my web cams do care.)

I have posted a copy of my Firewall and NAT rules below. 

I have done this many times using cheap consumer firewalls and most recently on my Meraki MX device.  I moved from MX to the Sophos XG free solution on extra hardware I have around to take advantage of the higher download speeds that my ISP provides.  (My MX limitation is 250M). 

What disturbs me in the way that I have this working is that other than the fact that the server (camera) accepts the traffic via the specific port, neither the Firewall nor the NAT rules are doing anything except exposing the whole range of Port IDs to the Internet.  (Not happy about that).  Seems like I am asking for trouble.  Yet, on either the FW rule where I define the basic service protocols TCP and UDP - I cannot create more specific instances of these protocols with ONLY my desired port number (45953, for this specific camera).  I have experimented some with trying to use the NAT rule to define the Original Services (TCP, UDP) to a specific port number - and then using PAT - though every instance I try the NAT rules reject me because my Original and Translated Services are not identical.  I argue that they were the same, but there is something in the logic or design of Sophos that I clearly do not understand.

I am using Port 2 for Internet; (also have Port 3 Internet but a different ISP).  And incidentally I'm trying to use DYNDNS to manage my Non-Static IP Addresses on my two ISP connections.

Again - this is a home network. 

Internet WAN - Port #2 - Dynamic IP address

Server (Camera 2) - 172.16.16.82

Services TCP and UDP are default protocols from the list - so they include the entire range. 

My understanding is that the FW is allowing all packets in - and sending to this server -- I also have ZERO idea this afternoon if I am breaking something else on my network such as solicited connections to things like RING cameras, etc. 

And - What happens when I try to add rules for additional cameras ?  I believe based on my perceived logic of this config - that I have no FW nor NAT rule that really understands my desire to filter a single Port # (or small range of ports). 

Below is the Firewall Rule

Again - allowing TCP and UDP packets in but no other logic or filters.

When you finish laughing at me ..... Would love to better understand how to make this work for multiple devices (servers) each with a unique port.  Meanwhile I'm going to disable these rules. 

I did for kicks go to "Shields Up" at grc.com and found that my ports appear CLOSED with the only one OPEN is where the server itself responds.  Of course, I didn't check all of the range of ports to see what else I have exposed...

Thank you for any suggestions.

I'm not a CCNA - have done some work on that over the years, but the way these FW / vendor specific tools work, they don't seem to make logical sense.  And the examples I could find are also seemingly unclear. 

Sincerely,

Chris

  • Hi,

    1/. why are you trying to allow the cameras to the internet, what is out there that they will talk to?

    2/. you do need a NAT and having two ISPs you might need to consider sd-wan policies

    3/. your service definition would be something like 1:65535 to 45953

    4/. do not use the service definitions of UDP or TCP, they allow all services through.

    5/. DYNDNS on an XG does not work with two ISPs

    Ian

  • Hi Ian

    Thanks!

    UPDATED FOR FORMAT

    1/. why are you trying to allow the cameras to the internet, what is out there that they will talk to?

    It will only be myself or my wife looking at the cameras - of cats if we are away. 

    2/. you do need a NAT and having two ISPs you might need to consider sd-wan policies

    Agreed on the two ISPs / SD WAN rules.  For the moment I have completely ignored this.  I have them in a primary / backup setup today and am ignoring them as I attempt to learn how to make this work securely.

    3/. your service definition would be something like 1:65535 to 45953

    This is where I start to get into trouble.  A couple of things come to mind here -- so I am going to have multiple cameras each with their own Port #.  So my interpretation of the Service Definition of 1:65535 to 45953 - would become troublesome as I create the 2nd, 3rd, 4th rule etc.

    4/. do not use the service definitions of UDP or TCP, they allow all services through.

    So I don't know how I can be more specific than TCP and UDP packets.  To me, if I could narrow it down to very specific port numbers that get opened up, then my security-by-obscurity plan lastly falls back on the end device.  Not perfect - but not sure how to choose another "service" here in the protocol definition.  It is what worked on Meraki - though we could argue whether or not I had any security there.

    5/. DYNDNS on an XG does not work with two ISPs

    No doubt on DYNDNS.  My original thought is this.  The cameras support it.  If an SD-WAN or failover rule pushed me to the second ISP, then eventually DYNDNS could get updated by the camera logging into the service.  Not perfect - but that's ok.

    Appreciate your guidance - unfortunately need to drill down a little further.

    Many thanks

    Chris

  • You could try investigating a WAF for each camera.

    For service definition you would have a different one for each camera; the 1:65535 (depends on UDP or TCP when creating it) is what will be sent to the XG, which will translate that to your camera service. You would need a rule like this: source WAN, network any, destination LAN, network camera 1, service camera 1, allow, log.

    Ian

  • That's an interesting approach.  I played with it a bit.  WAF has a requirement of https traffic.  The cameras support that, but some of these are not new devices.  No valid certs - and lack of newer TLS support...  So this one so far is not panning out well.  I do have one newer camera I have NOT worked with yet, but it might be an excellent candidate for the WAF strategy. 

    I am surprised that it appears (again judging by my perception, which may or may not fit the facts of the capabilities of SOPHOS) - but it appears that the level of granularity of control at the port level is rather low.  By the same token I have not worked with Cisco nor Fortinet FWs directly - but it always seemed that they had more capabilities.  And yet the other elements around security for these devices are excellent.

    I'm open to suggestions if anyone has anything to offer.  Otherwise I may wind up moving my security back to the Meraki MX which does have the granularity I am looking for.  That device is reaching end of sale and at some point won't be supported. 

    While I'm thinking out loud - I am assuming that the SOPHOS does not have any different capabilities approaching it from an IOS command line perspective ???  [insert "asking for a friend" here....]  LOL

    Thanks Ian

    Within a few days maybe I'll know if I have exhausted my work here.  I am learning - so that I do appreciate.

    Chris

  • Hi Chris,

    I am not sure what you mean by granularity? When you are outside the firewall the sending device will use a range of ports; that is why you set 1:65535 to 49xx. If you set the service to 493x to 493x, most if not all times the connection will fail. The Meraki will be doing the same thing, just maybe you were not aware of it?

    If you wish to see examples of this please review logviewer reports.

    Ian
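To make Ian's point concrete, here is an added example (my own model, not XG code and not from anyone in this thread) that evaluates service definitions the way a DNAT/firewall rule would: a service carries a source port range and a destination port range, and an inbound connection matches only if both fit. Camera 2 on 172.16.16.82:45953 is from the thread; the second camera's port 45954 and host 172.16.16.83 are assumed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    """Model of an XG-style service: protocol, source port range, destination port range."""
    proto: str
    src_lo: int
    src_hi: int
    dst_lo: int
    dst_hi: int

    def matches(self, proto: str, sport: int, dport: int) -> bool:
        # A connection matches only if the protocol fits AND the client's source port
        # AND the destination port both fall inside the service's ranges.
        return (proto == self.proto
                and self.src_lo <= sport <= self.src_hi
                and self.dst_lo <= dport <= self.dst_hi)

# One service per camera, as Ian suggests: any source port -> one destination port.
# Camera 2 (172.16.16.82:45953) is from the thread; the second entry is assumed.
RULES = [
    (Service("TCP", 1, 65535, 45953, 45953), "172.16.16.82"),
    (Service("TCP", 1, 65535, 45954, 45954), "172.16.16.83"),  # assumed second camera
]
# The mistake Ian warns about: pinning the source port to the camera port as well.
TOO_NARROW = Service("TCP", 45953, 45953, 45953, 45953)
# The built-in "TCP" service the OP used: every destination port is forwarded.
ANY_TCP = Service("TCP", 1, 65535, 1, 65535)

def forward_target(rules, proto: str, sport: int, dport: int):
    """Return the LAN host an inbound WAN connection is forwarded to, or None if dropped."""
    for svc, host in rules:
        if svc.matches(proto, sport, dport):
            return host
    return None

def exposed_port_count(service: Service, proto: str = "TCP", sport: int = 51234) -> int:
    """How many destination ports a client on an ephemeral source port can reach."""
    return sum(1 for dport in range(1, 65536) if service.matches(proto, sport, dport))

if __name__ == "__main__":
    # A browser connects from an ephemeral source port (51234 is a constructed value).
    print(forward_target(RULES, "TCP", 51234, 45953))   # 172.16.16.82
    print(TOO_NARROW.matches("TCP", 51234, 45953))       # False: source port pinned
    print(exposed_port_count(ANY_TCP), exposed_port_count(RULES[0][0]))  # 65535 1
```

The last line is the contrast the OP was worried about: the stock TCP service forwards all 65535 destination ports to the camera, while a per-camera service forwards exactly one.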

  • I use a VPN, it's more secure than opening ports. Then I use the manufacturer-provided app on my iPhone to view my cameras.  It works great. 
    I use Tunnelblick on my MacBook and OpenVPN on my iPhone.

  • Sorry for the delay.  That is an EXCELLENT recommendation.

    I have been stuck trying to piece together the VPN setup unfortunately - without tons of time nor much luck.

    Which VPN option did you use?  IP-SEC or SSL-VPN?  I have set up VPN on Meraki, but (similar concern as I had with port forwarding) - just feels like this is harder than it should be...  LOL - I could do it on Meraki - behind the SOPHOS FW - but then I have the same port forwarding issues that I started with.  LOL

    Chris

  • I would be interested to know the same.  I have a ton of cameras that I do not want to port forward for all of them.  I have an NVR that will allow access to all of them from the network and a VPN sounds like the easiest and most secure way to accomplish this.   If you get it working, I'd appreciate your experience.

  • Do you have details on how you did this?

  • Hi

    I used SSL-VPN with the OpenSSL app on my iPhone.  I downloaded the VPN profile from the XG user portal, changed one of the 'remote' lines in the .ovpn with my DDNS, i.e., 'remote xxxxx.ddns.net', then sent that to my iPhone where I added it into the OpenSSL app.

    I then connected to my VPN and watched the webcams via the NAS' cam app. I can also use the app from the camera manufacturer to view the camera, all using the local IP address of the cameras.

    This also works with the Tunnelblick app on my MacBook Pro.
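An added helper (mine, not from the poster or from Sophos) that performs the profile edit described above: it swaps the host on one of the `.ovpn` file's `remote` lines for a DDNS name while keeping the port and protocol that follow it, and refuses a name that is not a plain hostname. The sample profile is constructed and the DDNS name is a placeholder.

```python
import re

# Constructed sample in the shape of an exported SSL VPN profile; the addresses and
# port are placeholders, not values from a real XG export.
SAMPLE_OVPN = """client
dev tun
proto tcp-client
remote 203.0.113.10 8443
remote 198.51.100.20 8443
verb 3
"""

# 'remote <host> [port] [proto]' -- group 3 keeps everything after the host untouched.
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(.*)$")

def remote_hosts(ovpn_text: str) -> list:
    """List the hosts named on 'remote' lines, in file order."""
    return [m.group(2) for m in map(REMOTE_RE.match, ovpn_text.splitlines()) if m]

def replace_remote(ovpn_text: str, ddns_name: str, index: int = 0) -> str:
    """Point the index-th 'remote' line at ddns_name, keeping its port/protocol."""
    # Only letters, digits, dots and hyphens: no spaces or extra directives can sneak in.
    if not re.fullmatch(r"[A-Za-z0-9.-]+", ddns_name):
        raise ValueError(f"not a plain hostname: {ddns_name!r}")
    out, seen = [], 0
    for line in ovpn_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            if seen == index:
                line = f"{m.group(1)}{ddns_name}{m.group(3)}"
            seen += 1
        out.append(line)
    if seen <= index:
        raise ValueError(f"profile has only {seen} 'remote' line(s)")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(replace_remote(SAMPLE_OVPN, "example.ddns.net"))
```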